We have taken a thorough look at the Caja system for protecting a root site or container (and its associated users) from third-party code being hosted on it. Now that we are looking at a lighter solution to the same issue—ADsafe—we will inevitably need to answer the question of which one we should use. Let’s look at our choices in a little more depth.

I categorize ADsafe into the semitrust bucket. What I mean by this is that ADsafe does a good job of removing many of the major tools that a malicious developer could use to attack a user. This does not mean that ADsafe takes into account and adjusts for all attack vectors; it just means ADsafe takes away a lot of the sharpest knives from the developer. When I say semitrust bucket, I am referring to the level of trust you have in the third-party code being hosted. ADsafe makes a great system if you partially trust the code that will be hosted, as you would in the case of ads. You trust that the source is a legitimate ad company, but you may not be entirely confident that it will never have an issue with its ads that affects your site (i.e., the site that the ads are hosted on). This is the perfect use case for ADsafe: when you have a limited trust relationship with the source of the content being hosted, and you know where the content may be coming from. The impact on developers building code to exist within an ADsafe object is minimal, and users are fairly well protected from malicious ...